Firstly, can someone be kind enough to paste some data from their default conf files here for me to compare to my setup.
###############################################
From:www.conf/usr/share/defaults/php/php-fpm.d/www.conf

Does the top line or is there a line anywhere for:user ?????;
###############################################
At this point trying to establish Clear Linux’s default Nginx-Mainline worker process user (is it nobody or httpd)
and
php-fpm (is user nobody or httpd and the group is it nobody or httpd)

One point to ask is, since Clear Linux doesn’t have Apache bundle, why is there a httpd user on the system if Nginx defaults to user nobody? Maybe some other bundle created user httpd?

Then can try move on to other complications as I have insurmountable permissions confusion concerning owner:group file/dir mode on my system.

I have system level user account development with ssh, sftp access.
I have system level group httpDEV

Group httpDEV has users httpd & development

I have a directory postAdsMedia it is used by Symfony Web App to allow users to Create an Ad with ability to upload Images & Video. A PDF invoice is created and saved to disk when the user finalises the posting process.

Since nginx-mainline my php www.conf has user httpd defined, the media directories are owner:group httpd:httpd both have rwx mode.

If postAdsMedia owner and group is anything other than httpd including if the group is httpDev (which user httpd is apart of) I get permissions error and cannot write to the directories.

I cannot fathom why if the user httpd (php-fpm & nginx worker) is in the group httpDev which has rwx mode why it doesn’t have write access.

Such as if postAdsMedia where development:httpDEV both rwx.development & httpd users are in httpDEV group.

Maybe I need set owner to development and add user httpd to group development, but I struggle to come up with reason why this would work.

It leads me to think there’s some other phantom user maybe nobody interfering, since nobody is not in group httpDEV (hence one requesting default nginx/php conf users info, maybe I need consider reset all user back to nobody.

The other complications involve Git push/merging.
Local user account is development and is the Git account.
Every Git push/merge keeps changing the owner:group of every file/dir it touches from httpd:httpDEV to development:development.

There are no users assigned to group development and so after a Git it breaks many areas of my site and I have to change owner of everything back to httpd:httpDEV, royally annoying.

When it comes to directories, it’s generally acknowledged that mode 755 is acceptable but files, is not so clear cut. I see no apparent reason for Public to have read or write or execute on any php file, script php code file or Symfony packages. For these I seem to expect 644 user rw, group r, public.

Maybe 660 rw for both owner:group is the maximum mode needed, but ask the question and a get a million different answers. I don’t see reason for php user to write to any file, read yes, execute I see no reason either.

I prefer avoid an extermination strategy, that is, set php/nginx user to account user development and set all file/dir to development:development.

One point to ask is, since Clear Linux doesn’t have Apache bundle, why is there a httpd user on the system if Nginx defaults to user nobody ? Maybe some other bundle created user httpd ?

User id’s are assigned statically right now. That means that every ClearLinux system has the same uid’s for things like httpd, postfix, dovecot, etc… This is the case whether you have those bundles installed or not. In the future, we are going to change that, and it will become dynamic based on installed bundles. But right now that is not the case.

A lot of the currently used uid/gids for apache/nginx/php are a bit of a mess, and changing them might actually break running instances, so we have to be really careful to attempt to fix it.

With php-fpm, it’s the php processes that write to the data folders, and not nginx, so what matters for writable data directories is what uid php-fpm runs as - nginx won’t be writing to those, and it might not even be reading from them either - all nginx does is talk to the php-fpm socket. At least, this is true for wordpress and nextcloud, which is what I use myself.

nginx is configured to use httpd:httpd user id’s just like apache by default:

--user=httpd
--group=httpd

You can change it, but there’s very little value in doing that. By default, it should be able to talk to php-fpm because /run/php-fpm.sock runs with these permissions:

srw-rw---- 1 root httpd 0 Apr 1 18:05 /run/php-fpm.sock

In other words: group httpd can read/write the php-fpm socket, which nginx is part of.

This last permission is defined in /usr/share/defaults/php/php-fpm.d/www.conf:

listen.group = httpd
listen.mode = 0660

Last, php-fpm actually doesn’t run as root, but changes uid to nobody as defined, in the same file, by this:

user = nobody
group = nobody

Now, THIS part is likely the only thing you want to change, since nobody is generally not a good uid to use for writable stuff like this.